NTA Monitor

Latest News

Finance industry faces serious IT security issues

23rd June 2008 The finance industry needs to keep its eye on the small change as well as the bigger picture of its security vulnerabilities Read More

Retail sector faces serious IT security issues

23rd June 2008 The retail sector needs to set out its stall and ring the changes in its security vulnerabilities if it is to avoid the potential for hackers to gain unauthorised system access and disrupt service availability Read More

IT managers have more security headaches to deal with

11th May 2008 NTA Monitor's 2008 Annual Security Report has revealed that the average number of vulnerabilities found per test have increased to 21 compared with 19 in 2007 Read More

Solutions not excuses for patch management warns NTA Monitor

23rd April 2008 Patch management is a vital security requirement for any organsation Read More

PHP-Fusion messages.php SQL Injection Vulnerability

Overview

NTA Monitor discovered a SQL Injection vulnerability in the PHP-Fusion Content Management System (CMS) on 25 July 2005.

PHP-Fusion is a popular, lightweight Content Management System (CMS) written in PHP. It provides the most common characteristics you would expect to see in any other Content Management System. PHP-Fusion is easily extendable via plugins (fusions) which makes it a flexible and versatile Web Application.

The vulnerability was disovered by Petko Petkov while performing vulnerability assesment on PHP-Fusion version 6.00.106 and 6.00.107. Other versions might be affected too.

Vulnerability Details

PHP-Fusion root directory contains a number of files that define the basic Web Application behaviour. The Private Message System is handled by messages.php. By default, only authenticated users are allowed to use this file although it is possible to access certain parts from the Private Message System logic without being authenticated.

This file improperly sanitise some POST requests, as well. The incorrect handling of POST data can be used to manipulate some SQL queries. The code between line 111 and 129 is responsible for updating users' Private Message System Preferences:

if(isset($saveoptions)) {
	if ($_POST['update_type']=='new') {
		dbquery("INSERT INTO ".$db_prefix."messages_options ( user_id, pm_email_notify, pm_save_sent )
			VALUES ( 
			'".$userdata['user_id']."',
			'".$_POST['pm_email_notify']."',
			'".$_POST['pm_save_sent']."')"
										);

	} else {
		dbquery("UPDATE ".$db_prefix."messages_options SET 
			pm_email_notify='".$_POST['pm_email_notify']."',
			pm_save_sent='".$_POST['pm_save_sent']."'
			WHERE user_id='".$userdata['user_id']."'"
		);
	}

	$message = $locale['624'];
	}

POST fields pm_email_notify and pm_save_sent are not properly sanitised. Attackers can use the following HTTP requests to inject SQL statements into the first or the second dbquery function respectively:

POST /phpfusion/messages.php?saveoptions= HTTP/1.0
	Content-Length: 35

	update_type=new&pm_email_notify=%27
POST /phpfusion/messages.php?saveoptions= HTTP/1.0 
	Content-Length: 19 

	pm_email_notify=%27

Impact

In certain circumstances this vulnerability can be considered as a Medium, even Low risk. Unfortunately, most vulnerable PHP-Fusion instances allow attackers to execute any valid SQL statement on the database server.

Solution

All GET and POST fields needs to be properly sanitised before using them in SQL queries. You can temporarily prevent possible attacks by enabling the PHP Magic Quotes feature. For more information please read references provided below.

This advisory was first released on 25th July 2005.

References

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml PHP Magic Quotes Manual Petko Petkov's PHP-Fusion messages.php Advisory